Analysis

max time kernel: 151s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-06-2024 04:21

Behavioral tasks
behavioral1: sample 14aa8760fa3e3d00d2b0e18b6491dc4f_JaffaCakes118.exe, resource win7-20240221-en
behavioral2: sample 14aa8760fa3e3d00d2b0e18b6491dc4f_JaffaCakes118.exe, resource win10v2004-20240226-en

General
Target: 14aa8760fa3e3d00d2b0e18b6491dc4f_JaffaCakes118.exe
Size: 645KB
MD5: 14aa8760fa3e3d00d2b0e18b6491dc4f
SHA1: 3d02f92123ce0aed6788e7a8c5fd32489ef94f2b
SHA256: 580cdee9a1dcaa2c53c97cb0685058e81db7dd7b234c5f5818d8d44cec7548fb
SHA512: f14ec0ee64559e410ad43ca1d490df5f8da8a19527727996be81f461ab32d513437e62a2d4e2926f05e21653bde492ba66bc9af79d6295ec132d6eeebf71d854
SSDEEP: 12288:Tzo75/bUOEXYKZYsw5Eq65otrGaUtzAyFVpzM4TjVlZP+/lA/DL0+5kG:I75IbYAY/5EqIotKHtkyFg2VTkADA+5F
Malware Config
Signatures
Each IoC list below is capped at 64 entries, so every count in this section is a floor, not a total.

Checks computer location settings (2 TTPs, 64 IoCs)
Looks up the country code configured in the registry, likely a geofence.
All 64 entries are reads of the same value:
  Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
  Process: one entry from the original sample process (14aa8760fa3e3d00d2b0e18b6491dc4f_JaffaCakes118.exe), the rest from magiclink.exe instances
Geo\Nation under the user's hive (HKCU\Control Panel\International\Geo\Nation) holds the decimal GEOID of the region the user selected in Region settings. It is user-editable and says nothing about where the machine actually is, so a geofence keyed on it can be flipped in either direction by changing the region; for sandbox or test runs that is also the knob to turn when a sample refuses to run.
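The geofence signature above is the kind of thing that is easy to miss in telemetry because the same registry value is spelled three ways depending on the source (NT object path in this report, HKU\<SID> in Sysmon and EDR events, HKCU in documentation). The following is an added example, not part of the sandbox report or of the sample: it normalises those spellings, parses the report's "Key value queried <path> <process>" lines (the line format is assumed to be exactly as displayed above) and counts Geo\Nation reads per process. The sample lines are constructed from the entries above plus one non-geofence control line.

```python
"""Flag reads of the GEOID (geofence) registry value in sandbox IoC lines.

Added example, not part of the sandbox report. SAMPLE_LINES are constructed
from the 'Key value queried' entries in the report plus one control line.
Assumed line format (as the report displays it):
    Key value queried <registry path> <process name>
"""
import re
from collections import Counter

# The same value appears under several spellings depending on the telemetry source:
#   \REGISTRY\USER\<SID>\Control Panel\International\Geo\Nation   (NT path, this report)
#   HKU\<SID>\Control Panel\International\Geo\Nation              (Sysmon / EDR)
#   HKCU\Control Panel\International\Geo\Nation                   (documentation shorthand)
# It holds the decimal GEOID the user picked in Region settings (244 is United States).
_USER_HIVE = re.compile(
    r"^(?:\\REGISTRY\\USER\\|HKU\\|HKEY_USERS\\)(S-1-5-21-\d+-\d+-\d+-\d+)(?:_Classes)?\\",
    re.IGNORECASE,
)
_CURRENT_USER = ("HKCU\\", "HKEY_CURRENT_USER\\")
GEO_NATION = r"control panel\international\geo\nation"


def normalise_key(path):
    """Return (SID or None, key path relative to the user hive, lower-cased)."""
    m = _USER_HIVE.match(path)
    if m:
        return m.group(1), path[m.end():].lower()
    upper = path.upper()
    for prefix in _CURRENT_USER:
        if upper.startswith(prefix):
            return None, path[len(prefix):].lower()
    return None, path.lower()


def is_geo_nation_query(path):
    return normalise_key(path)[1] == GEO_NATION


# Registry paths contain spaces ('Control Panel'); the process name is the last token.
_IOC = re.compile(r"^Key value queried (?P<key>\S.*?) (?P<proc>\S+)$")


def parse_ioc_line(line):
    m = _IOC.match(line.strip())
    return (m.group("key"), m.group("proc")) if m else None


def geofence_summary(lines):
    """Count Geo\\Nation reads per process and collect the user SIDs involved."""
    per_process = Counter()
    sids = set()
    for line in lines:
        parsed = parse_ioc_line(line)
        if parsed is None:
            continue
        key, proc = parsed
        if is_geo_nation_query(key):
            per_process[proc] += 1
            sid, _ = normalise_key(key)
            if sid:
                sids.add(sid)
    return dict(per_process), sids


_NT_USER = r"\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000"
SAMPLE_LINES = [  # constructed from the report's entries; the last line is a control
    "Key value queried " + _NT_USER + r"\Control Panel\International\Geo\Nation magiclink.exe",
    "Key value queried " + _NT_USER + r"\Control Panel\International\Geo\Nation 14aa8760fa3e3d00d2b0e18b6491dc4f_JaffaCakes118.exe",
    "Key value queried " + _NT_USER + r"\Control Panel\International\Geo\Nation magiclink.exe",
    "Key value queried " + _NT_USER + r"\Software\Classes\Local Settings magiclink.exe",
]

if __name__ == "__main__":
    counts, sids = geofence_summary(SAMPLE_LINES)
    print(counts, sids)
```

Because normalise_key strips the hive prefix before comparing, the same is_geo_nation_query check works on Sysmon RegistryEvent TargetObject values (HKU\<SID>\...) without a second rule. Note that reads of this value are not logged by Sysmon at all (it records key creation and value writes, not queries), so outside a sandbox this check only fires on sources that capture registry reads.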
Executes dropped EXE (64 IoCs)
Every entry is magiclink.exe (the dropped C:\windows\SysWOW64\magiclink.exe). PIDs in order of execution:
4040, 5604, 5768, 5568, 4544, 5536, 5076, 1092, 1580, 556, 3332, 3748, 2692, 2884, 440, 1104, 3232, 4304, 3400, 3556, 5392, 5628, 5760, 4408, 464, 5936, 4812, 4508, 432, 4560, 340, 2208, 5020, 4124, 2308, 3920, 4412, 4672, 6052, 2480, 4196, 844, 5308, 3208, 3400, 4768, 3204, 5604, 5408, 2412, 5916, 464, 3216, 3284, 3160, 1380, 2440, 6068, 4352, 3624, 4496, 5128, 2720, 4952
Three PIDs recur (3400, 5604 and 464 each appear twice). Windows reuses a PID only after the earlier process object is gone, so the earlier instance had exited before the later one started: the chain is a relay of short-lived processes, not a stack of live parents. Correlate on (PID, start time) or on the sandbox's own process id rather than on PID alone, or the two instances get merged.
YARA rule hits (rule: upx, 64 IoCs, behavioral2)
The rule matched the dropped file behavioral2/files/0x000800000002326a-11.dat and the region 0x00400000-0x0061E000 in memory dumps of the following PIDs (63 dumps; several PIDs were dumped more than once):
2620, 4040, 5604, 5768, 5568, 4544, 5536, 5076, 1092, 1580, 556, 3332, 3748, 2692, 2884, 440, 1104, 3232, 3400, 4304, 3556, 5392, 5628, 5760, 4408, 464, 5936, 4812, 4508, 432, 4560, 340, 2208, 5020, 4124, 2308, 3920, 4412, 4672, 6052, 2480, 4196, 844, 5308, 3208
Every process maps the same 0x21E000-byte (about 2.1 MB) image at the same base, 0x00400000, while the file on disk is 645KB. A mapped image roughly three times the packed size is what UPX looks like at runtime: the first section has a large virtual size but no raw data, and the stub unpacks into it. Strings and configuration should therefore be pulled from one of these dumps rather than from the file.
Drops file in System32 directory (64 IoCs)
All entries are by magiclink.exe and touch three paths under \??\c:\windows\SysWOW64\ (the NT object-manager form of c:\windows\SysWOW64\):
  magiclink.exe     File created; File opened for modification
  magiclink .exe    File opened for modification (a space before the extension; a distinct file name from magiclink.exe)
  systemdllx.vxd    File opened for modification
Although the signature title says System32 and the process is launched as C:\windows\system32\magiclink.exe, every file lands in SysWOW64: the process is 32-bit, and WOW64 file-system redirection sends a 32-bit process's writes under System32 to SysWOW64. An IOC written as c:\windows\system32\magiclink.exe will not find the file this sample actually creates; hunt for both spellings.
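Two details in the file-drop list above trip up IOC extraction: the NT-style \??\ prefix, and the System32-to-SysWOW64 redirection that makes the on-disk path differ from the path in the command line. The following is an added example, not part of the report or of the sample: it parses "File <op> <NT path> <process>" lines (format assumed as displayed above), normalises the paths into distinct on-disk artefacts, flags the whitespace-before-extension name, and produces both path spellings for a hunt on a 64-bit host. The sample lines are constructed from the entries above.

```python
r"""Turn 'Drops file in System32 directory' IoCs into on-disk artefacts to hunt for.

Added example, not part of the sandbox report. SAMPLE_LINES are constructed
from the report's entries. Assumed line format (as the report displays it):
    File <created|opened for modification> <NT path> <process name>
"""
import re
from collections import defaultdict

# '\??\c:\windows\...' is the NT object-manager spelling of 'c:\windows\...'.
_NT_PREFIX = "\\??\\"
_FILE_IOC = re.compile(
    r"^File (?P<op>created|opened for modification) (?P<path>\\\?\?\\\S.*?) (?P<proc>\S+)$",
    re.IGNORECASE,
)


def normalise_path(path):
    if path.startswith(_NT_PREFIX):
        path = path[len(_NT_PREFIX):]
    return path.lower()


def parse_file_ioc(line):
    m = _FILE_IOC.match(line.strip())
    if not m:
        return None
    return m.group("op").lower(), normalise_path(m.group("path")), m.group("proc")


def collect_artifacts(lines):
    """Map each distinct path to the operations, processes and event count seen against it."""
    artifacts = defaultdict(lambda: {"ops": set(), "procs": set(), "events": 0})
    for line in lines:
        parsed = parse_file_ioc(line)
        if parsed is None:
            continue
        op, path, proc = parsed
        entry = artifacts[path]
        entry["ops"].add(op)
        entry["procs"].add(proc)
        entry["events"] += 1
    return dict(artifacts)


def on_disk_candidates(path, writer_is_32bit):
    r"""Where a file a process wrote 'under System32' can really be on a 64-bit host.

    WOW64 file-system redirection sends a 32-bit process's System32 writes to
    SysWOW64, so an IOC spelled c:\windows\system32\x.exe misses the file this
    sample creates. Both spellings are returned so a hunt covers either.
    """
    p = normalise_path(path)
    candidates = {p}
    if writer_is_32bit and "\\windows\\system32\\" in p:
        candidates.add(p.replace("\\windows\\system32\\", "\\windows\\syswow64\\", 1))
    return candidates


def odd_names(artifacts):
    """Paths whose file name has whitespace before the extension, like 'magiclink .exe'."""
    return {p for p in artifacts if re.search(r"\s+\.[a-z0-9]+$", p)}


SAMPLE_LINES = [  # constructed from the report's entries
    r"File opened for modification \??\c:\windows\SysWOW64\magiclink.exe magiclink.exe",
    r"File created \??\c:\windows\SysWOW64\magiclink.exe magiclink.exe",
    r"File opened for modification \??\c:\windows\SysWOW64\magiclink .exe magiclink.exe",
    r"File opened for modification \??\c:\windows\SysWOW64\systemdllx.vxd magiclink.exe",
    r"File opened for modification \??\c:\windows\SysWOW64\magiclink.exe magiclink.exe",
]

if __name__ == "__main__":
    for path, info in sorted(collect_artifacts(SAMPLE_LINES).items()):
        print(path, sorted(info["ops"]), info["events"])
    print(odd_names(collect_artifacts(SAMPLE_LINES)))
    print(on_disk_candidates(r"c:\windows\system32\magiclink.exe", writer_is_32bit=True))
```

The redirection only applies when the writer is a 32-bit process and the path is under System32 (a handful of subdirectories are exempt, and a process can switch redirection off for its own thread), so the bitness flag is an input rather than something inferred from the path. Here it is known from the report itself: the files ended up in SysWOW64.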
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (64 IoCs)
Each entry has the form "PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>". Every write goes from a process to the child it has just created, and each creation is recorded three times: CreateProcess itself writes into the new process while setting it up, so three writes into a freshly created child is ordinary process creation, not injection into a foreign process. Writer -> target (procid_target):
  2620 (14aa8760fa3e3d00d2b0e18b6491dc4f_JaffaCakes118.exe) -> 4040 (91)
  4040 -> 5604 (92)
  5604 -> 5768 (93)
  5768 -> 5568 (94)
  5568 -> 4544 (97)
  4544 -> 5536 (100)
  5536 -> 5076 (101)
  5076 -> 1092 (103)
  1092 -> 1580 (104)
  1580 -> 556 (105)
  556 -> 3332 (108)
  3332 -> 3748 (109)
  3748 -> 2692 (110)
  2692 -> 2884 (111)
  2884 -> 440 (112)
  440 -> 1104 (114)
  1104 -> 3232 (115)
  3232 -> 4304 (116)
  4304 -> 3400 (117)
  3400 -> 3556 (119)
  3556 -> 5392 (120)
  5392 -> 5628 (121)  only one of the three writes is listed: the 64-entry cap cuts the list here
All writers from 4040 onward are magiclink.exe.
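The list above is more useful as a graph than as 64 lines: who created whom, in what order, whether any process wrote into more than one target, and where the cap truncated the record. The following is an added example, not part of the report or of the sample: it parses the "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>" lines (format assumed as displayed above), rebuilds the chain from the root PID, and separates the normal three-writes-per-child pattern from anything that would need a second look. The sample lines are constructed from a prefix of the entries above, with the last creation deliberately listed once to mimic the cap.

```python
"""Rebuild the process chain from 'wrote to memory of' sandbox IoC lines.

Added example, not part of the sandbox report. SAMPLE_LINES are constructed
from a prefix of the report's entries; the last creation is listed once on
purpose to mimic the 64-entry cap. Assumed line format (as displayed):
    PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>
"""
import re
from collections import Counter, defaultdict

_WPM = re.compile(
    r"^PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) (?P=writer) "
    r"(?P<image>\S+) (?P<procid_target>\d+)$"
)
# CreateProcess writes into the new child a fixed number of times while setting
# it up; in this report that shows as three entries per child.
CREATE_WRITES = 3


def parse_wpm(line):
    m = _WPM.match(line.strip())
    if not m:
        return None
    return (int(m.group("writer")), int(m.group("target")),
            m.group("image"), int(m.group("procid_target")))


def process_graph(lines):
    """children[parent] -> [child, ...] in first-seen order,
    writes[(parent, child)] -> number of writes, images[pid] -> writer image name."""
    children = defaultdict(list)
    writes = Counter()
    images = {}
    for line in lines:
        parsed = parse_wpm(line)
        if parsed is None:
            continue
        writer, target, image, _ = parsed
        if target not in children[writer]:
            children[writer].append(target)
        writes[(writer, target)] += 1
        images[writer] = image
    return children, writes, images


def chain_from(children, root):
    """Follow the first child of each process from root. Stop on a repeated PID
    (PID reuse, or a loop in the data) instead of spinning forever."""
    chain, seen = [root], {root}
    while children.get(chain[-1]):
        nxt = children[chain[-1]][0]
        if nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def triage(lines, root):
    children, writes, images = process_graph(lines)
    chain = chain_from(children, root)
    return {
        "chain": chain,
        "depth": len(chain),
        # a writer with more than one target needs a closer look (fan-out or injection)
        "fan_out": {p: kids for p, kids in children.items() if len(kids) > 1},
        # fewer than CREATE_WRITES entries means the list was cut, not a different technique
        "incomplete": [pair for pair, n in writes.items() if n < CREATE_WRITES],
        # every writer after the root is the same image: the dropped binary relaunching itself
        "self_replicating": len({images[p] for p in chain[1:-1]}) == 1 if len(chain) > 2 else False,
    }


SAMPLE_LINES = (  # constructed from the report's first entries
    ["PID 2620 wrote to memory of 4040 2620 14aa8760fa3e3d00d2b0e18b6491dc4f_JaffaCakes118.exe 91"] * 3
    + ["PID 4040 wrote to memory of 5604 4040 magiclink.exe 92"] * 3
    + ["PID 5604 wrote to memory of 5768 5604 magiclink.exe 93"] * 3
    + ["PID 5768 wrote to memory of 5568 5768 magiclink.exe 94"]  # listed once: cap reached
)

if __name__ == "__main__":
    print(triage(SAMPLE_LINES, 2620))
```

On the full list the chain runs 2620 -> 4040 -> ... -> 5628 with no fan-out, which is what makes this a relay rather than an injector: a process writing into a target it did not create, or into several targets, is what would distinguish injection from the CreateProcess pattern, and neither appears here.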
Processes
Process tree for the behavioral2 run (the PIDs match the behavioral2 memory dumps listed under the yara hits). Each process starts the next, so the depth is also the position in the chain. The tree is cut off after depth 56.

1. C:\Users\Admin\AppData\Local\Temp\14aa8760fa3e3d00d2b0e18b6491dc4f_JaffaCakes118.exe (PID 2620)
   command line: "C:\Users\Admin\AppData\Local\Temp\14aa8760fa3e3d00d2b0e18b6491dc4f_JaffaCakes118.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

2 to 56. C:\windows\SysWOW64\magiclink.exe, each started by the entry above it with the command line "C:\windows\system32\magiclink.exe" (the process is 32-bit, so WOW64 file-system redirection resolves the system32 path to the SysWOW64 copy it dropped). Flags: L = Checks computer location settings, E = Executes dropped EXE, D = Drops file in System32 directory, W = Suspicious use of WriteProcessMemory.

depth  PID   flags
2      4040  E W
3      5604  L E W
4      5768  E W
5      5568  L E D W
6      4544  L E W
7      5536  E D W
8      5076  L E W
9      1092  E D W
10     1580  L E D W
11     556   L E W
12     3332  E W
13     3748  L E D W
14     2692  E W
15     2884  L E D W
16     440   L E W
17     1104  L E W
18     3232  L E W
19     4304  E W
20     3400  L E W
21     3556  L E W
22     5392  L E W
23     5628  L E D
24     5760  L E D
25     4408  E D
26     464   L E
27     5936  L E D
28     4812  E D
29     4508  E D
30     432   L E D
31     4560  E D
32     340   E D
33     2208  L E
34     5020  L E
35     4124  E
36     2308  L E D
37     3920  E
38     4412  E D
39     4672  E
40     6052  L E
41     2480  L E D
42     4196  E D
43     844   E D
44     5308  L E
45     3208  L E
46     3400  E
47     4768  E D
48     3204  L E D
49     5604  E D
50     5408  E D
51     2412  L E
52     5916  L E D
53     464   E D
54     3216  L E
55     3284  L E D
56     (PID not shown; the report is cut off here)  E

No entry below depth 22 carries W, and the WriteProcessMemory list hits its 64-entry cap at exactly the 5392 -> 5628 creation. Treat the missing flag as a reporting limit rather than a change in behaviour: every entry down to depth 55 went on to start the next one. The reused PIDs (3400 at depths 20 and 46, 5604 at 3 and 49, 464 at 26 and 53) are different processes; the earlier one had exited before the later one was created.
- Drops file in System32 directory
PID:3160 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"57⤵
- Checks computer location settings
- Executes dropped EXE
PID:1380 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2440 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"59⤵
- Checks computer location settings
- Executes dropped EXE
PID:6068 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"60⤵
- Checks computer location settings
- Executes dropped EXE
PID:4352 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"61⤵
- Executes dropped EXE
PID:3624 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"62⤵
- Checks computer location settings
- Executes dropped EXE
PID:4496 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"63⤵
- Checks computer location settings
- Executes dropped EXE
PID:5128 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"64⤵
- Executes dropped EXE
PID:2720 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"65⤵
- Checks computer location settings
- Executes dropped EXE
PID:4952 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"66⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3188 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"67⤵PID:5360
-
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"68⤵
- Drops file in System32 directory
PID:5560 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"69⤵
- Checks computer location settings
PID:1588 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"70⤵
- Drops file in System32 directory
PID:1104 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"71⤵
- Drops file in System32 directory
PID:6004 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"72⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3128 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"73⤵
- Checks computer location settings
PID:2952 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"74⤵
- Drops file in System32 directory
PID:2556 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"75⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3556 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"76⤵
- Checks computer location settings
- Drops file in System32 directory
PID:6088 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"77⤵
- Drops file in System32 directory
PID:6100 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"78⤵PID:2548
-
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"79⤵PID:3812
-
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"80⤵
- Checks computer location settings
PID:5488 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"81⤵
- Checks computer location settings
PID:5972 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"82⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4812 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"83⤵PID:3888
-
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"84⤵
- Checks computer location settings
PID:6124 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"85⤵
- Drops file in System32 directory
PID:5812 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"86⤵
- Checks computer location settings
PID:2168 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"87⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3792 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"88⤵
- Checks computer location settings
PID:340 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"89⤵
- Checks computer location settings
- Drops file in System32 directory
PID:5008 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"90⤵PID:3324
-
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"91⤵
- Drops file in System32 directory
PID:2776 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"92⤵
- Drops file in System32 directory
PID:5896 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"93⤵
- Drops file in System32 directory
PID:3392 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"94⤵
- Checks computer location settings
PID:2588 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"95⤵
- Checks computer location settings
PID:3952 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"96⤵PID:6136
-
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"97⤵
- Checks computer location settings
PID:1616 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"98⤵
- Checks computer location settings
- Drops file in System32 directory
PID:440 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"99⤵
- Checks computer location settings
PID:968 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"100⤵
- Checks computer location settings
PID:3968 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"101⤵
- Drops file in System32 directory
PID:6092 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"102⤵
- Checks computer location settings
PID:3948 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"103⤵PID:4904
-
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"104⤵
- Checks computer location settings
PID:4148 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"105⤵PID:1168
-
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"106⤵PID:3556
-
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"107⤵
- Checks computer location settings
PID:6088 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"108⤵
- Checks computer location settings
- Drops file in System32 directory
PID:5408 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"109⤵
- Checks computer location settings
PID:2956 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"110⤵
- Drops file in System32 directory
PID:6112 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"111⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2532 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"112⤵
- Drops file in System32 directory
PID:5544 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"113⤵
- Drops file in System32 directory
PID:4652 -
C:\windows\SysWOW64\magiclink.exe"C:\windows\system32\magiclink.exe"114⤵PID:5496
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3904 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:81⤵PID:768
Network
MITRE ATT&CK Enterprise v15
Downloads